A remote code execution (RCE) vulnerability has been discovered in the Disqus Comment System plugin for WordPress, the most popular blogging platform.

While more than 70 million websites on the Internet currently run WordPress, about 1.3 million of them use the ‘Disqus Comment System’ plugin, making it one of the most popular WordPress plugins for web comments and discussions.

The security team at the security firm Sucuri discovered a critical Remote Code Execution (RCE) flaw while analyzing a custom JSON parser in the Disqus plugin, and found that its variable parsing function could allow anyone to execute commands on the server because of an insecure use of PHP's eval() function.

WHO ARE VULNERABLE

The Remote Code Execution (RCE) vulnerability can be triggered by a remote attacker only if the server/website is running the following application versions:

PHP version 5.1.6 or earlier

WordPress 3.1.4 or earlier

Disqus Comment System WordPress plugin 2.75 or earlier

HOW TO EXPLOIT DISQUS

For successful exploitation, an attacker posts a custom payload, for example {${phpinfo()}}, as a comment on the targeted post/page and then only needs to open the following ‘Comment Synchronization’ URL with the targeted post ID in order to take advantage of the vulnerability.

http://somesite.com/?cf_action=sync_comments&post_id=TARGET_POST_ID
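The following is an added illustration of the bug class the article describes, not the Disqus plugin's own code: a hand-written "variable parser" that rebuilds untrusted text as PHP source and runs it through eval() lets PHP's complex string syntax turn the comment {${phpinfo()}} into executed code, whereas the built-in JSON parser keeps it as inert text. Function names and the sample request are hypothetical.

```php
<?php
// Added example (hypothetical reconstruction, not the Disqus plugin's code).
// It contrasts an eval()-based "unescape" step with a parser that never
// executes its input.

// Vulnerable pattern: the value is re-quoted and eval()'d to unescape it.
// Escaping the double quote is not enough: inside a double-quoted PHP string,
// {${phpinfo()}} is "complex" variable syntax, so phpinfo() runs.
function unescape_unsafe(string $value): string {
    $quoted = str_replace('"', '\"', $value);   // handles quotes only, not { $ }
    return eval('return "' . $quoted . '";');   // executes code hidden in $value
}

// Hardened pattern: decode with the built-in parser (which treats input purely
// as data), enforce a depth limit, and validate the shape of the result.
function parse_comment_safe(string $json): ?array {
    $data = json_decode($json, true, 16);        // assoc arrays, depth-limited
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null;                             // malformed input is rejected
    }
    if (!isset($data['message']) || !is_string($data['message'])) {
        return null;                             // unexpected shape is rejected
    }
    // The payload survives only as text; flag interpolation-like syntax so a
    // defender can log or review such comments.
    $suspicious = (bool) preg_match('/\$\{|\{\$/', $data['message']);
    return ['message' => $data['message'], 'suspicious' => $suspicious];
}

// Constructed sample body (not a real captured request):
$sample = '{"message":"{${phpinfo()}}"}';
var_dump(parse_comment_safe($sample));
```

With the hardened parser the comment body is returned unchanged as a string and marked suspicious; unescape_unsafe() is shown only to make the failure mode concrete and is never called.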

“While the flaw itself is very dangerous” reads the blog post. “That's it, looks simple right? So if you are using an outdated version of WordPress/PHP, you need to update Disqus asap.”

At the beginning of the month, the same team of security researchers at Sucuri discovered a critical vulnerability in All in One SEO Pack, a plugin that optimizes WordPress sites for search engines, which potentially left millions of websites vulnerable to attackers.

HOW TO PATCH VULNERABILITY

If left unpatched, the flaw could allow any potential attacker to do anything he wants with a vulnerable website. So, it is highly recommended that those using outdated versions of WordPress, the Disqus Comment Plugin 2.76 and PHP upgrade to the latest versions as soon as possible.

WordPress users should be able to update their Disqus plugin by signing into their WordPress administrative panel > Disqus Comment System plugin > drop-down at the top or bottom of the page > click “Update.” Users can also manually update the plugin by overwriting the plugin files directly in the WordPress plugins directory.